FOREWORD


For most military analysts, the term "deterrence" brings to mind the notion of nuclear deterrence. We think of how two opposing states attempt to deter their adversaries through creating a balance of weapons, telegraphing their intentions, and establishing themselves as a credible threat. We think of the Cold War, and the standoff between the Soviet Union and the United States.

However, in this Letort Paper, Dr. Mary Manjikian raises the intriguing notion that the best analogy when thinking about cyber-deterrence does not actually come from the nuclear arena but rather from the literature about border controls. Drawing on a rich literature, including case studies of successful and unsuccessful attempts at securing the Southern border of the United States, she demonstrates that the approaches, strategies, and costs of carrying out physical border defense and virtual border defense have many similarities. First, Dr. Manjikian argues that the actors we most need to deter in cyberspace are often not states but rather may include a broad coalition of threats — including insiders, state and nonstate actors, and members of a criminal element. Just as is the case when we consider our physical borders, not everyone who attempts to traverse our virtual borders uses the same methods, nor do they have the same intentions. Thus, differentiated deterrence strategies can be framed and used, depending on the nature of the threat and the adversary's intentions.

Furthermore, Dr. Manjikian argues that in cyber-deterrence, there is no clear moment of a "standoff" between two opposing sides — as we often see in the nuclear arena. Instead, the actions taken by those attempting to defend borders in cyberspace and those who attempt to trespass them are ongoing.

In addition, just as is the case in real space-border incursions, over time trespassers learn more about their adversaries' defenses. Each time they make an incursion across the border they gain new information about how resources are organized, where they are deployed, and where the weak points in our defense are. Thus, each incursion — even when unsuccessful — ups the chances that the next incursion will succeed. Moreover, the costs of defense often are significantly greater than the costs of mounting another incursion. Over time, the trespasser's costs may decrease, while the defender's costs remain constant.

Perhaps most significantly, Dr. Manjikian explains why disparate elements who share a border will not always work together to defend that border. In considering physical borders, building a wall or setting up a checkpoint in one location may simply cause those seeking entry to move on to consider a different entry point, which is not as well defended. Similarly, both corporations and agencies may unwittingly create security threats for other agencies or corporate rivals through adopting a more stringent defense of their own borders.

This analysis raises interesting questions and will give readers much to consider in thinking through the issue of cyber-deterrence today. This novel approach will also, I hope, lead to the creation of novel solutions as we address the growing threat of cybertrespass today.


DOUGLAS C. LOVELACE, JR.
Director
Strategic Studies Institute and U.S. Army War College Press




ABOUT THE AUTHOR

MARY MANJIKIAN is Associate Dean of the Robertson School of Government at Regent University. She previously served as a U.S. Foreign Service officer in The Netherlands, Russia, and Bulgaria, and as a Fulbright Scholar at Durham University's Institute of Advanced Study. Dr. Manjikian's publications include Apocalypse and Post-Politics: The Romance of the End (Lexington Books, 2012); Threat Talk: Comparative Politics of Internet Addiction in China and the US (Ashgate, 2012); and Securitization of Property Squatting in Western Europe (Routledge, 2013). Her articles have also appeared in such journals as International Studies Quarterly, International Journal of Intelligence and Counterintelligence, Intelligence and National Security, and International Feminist Journal of Politics. Dr. Manjikian holds an M.Phil. from Oxford University and a Ph.D. from the University of Michigan.




SUMMARY

In recent years, analysts have begun discussing strategies for securing entities in cyberspace — including the files and software belonging to corporations, government institutions, and private individuals. Increasingly, analysts have suggested utilizing two types of deterrence strategies: deterrence by denial and deterrence by punishment. In determining how both deterrence strategies might be applied to preventing hostile individuals, states, and nonstate actors from entering cyberspace and inflicting damage there, analysts have borrowed from deterrence strategies that have been framed for a variety of other situations. While the tendency among members of the military community is to look to other military situations — such as nuclear war, or the use of biological or chemical weapons — in which deterrence strategies may have been used, it is my contention that these scenarios are not necessarily the best fit for describing what happens in cyberspace. Rather, my intent in this Letort Paper is to look at other literature that refers to deterrence strategies — namely, criminology literature, which looks at strategies and tactics for deterring illegal immigration.

In the first section of this Letort Paper, three possible strategies for responding to criminal behavior as presented in the criminology literature are described, including: prevention by design; deterrence by denial; and deterrence by punishment. Moreover, this Letort Paper suggests that cyber-deterrent strategies are more properly categorized as prevention by design strategies rather than deterrence by denial strategies, and the difference between the two is explained.

The second section points to existing problems of applying the theories regarding nuclear deterrence to the cyberconflict situation — focusing in particular on the knowledge problem (the problem of attribution) and the temporal problem (the ways in which time functions in cyberspace), both of which are spelled out in greater detail in that section.

The third section explains what can be learned from the criminology example of providing border security. In the border security case, we are able to see how different types of would-be aggressors are approached differently, how targeted strategies are created, and how border security is an issue that needs to be handled in association with related issues, including economic ones. Then, the section examines the ways in which the United States has been able to work with its neighbors in creating border security.

Finally, the concluding section of this Letort Paper draws on the border security example to develop lessons for the provision of cybersecurity.




DETERRING CYBERTRESPASS AND SECURING CYBERSPACE: LESSONS FROM UNITED STATES BORDER CONTROL STRATEGIES

I. THREE TYPES OF CRIMINAL DETERRENT STRATEGIES: PREVENTION BY DESIGN; DETERRENCE BY DENIAL; AND DETERRENCE BY PUNISHMENT

As noted, the concept of deterrence does not belong solely to military and strategic studies scholars. Indeed, there is an equally broad literature about deterrence within the fields of criminology and even the health sciences. In those contexts, analysts consider the ways in which individuals and sometimes groups may be induced to alter or desist in their harmful behaviors through a combination of deterrence by denial and deterrence by punishment strategies. Analysts have asked how individuals and groups may be deterred from engaging in activities such as driving while intoxicated,¹ dealing in illegal drugs,² or battering their spouse or significant other.³

The criminological model of deterrence and the work done by academic criminologists on practices of deterring offenders provide many useful lessons for those interested in understanding more about the ways deterrence can and does work in cyberspace. As Lynn Zimmer suggests in her work on deterring drug trafficking in American cities, criminal deterrence strategies ideally seek to accomplish two goals. The first is that they are concerned with capturing and sometimes preempting offenders to make sure that they do not offend and re-offend. However, deterrence strategies are also important for creating order within a region or a neighborhood. By "cracking down" on those who seek to engage in activities that are violent and disruptive to the community as a whole, a collective good — stability and peace — is distributed to the entire community.⁴ This same pattern holds true in cyberspace: U.S. cyber-deterrence initiatives, as well as those deterrence initiatives carried out by other states and even corporations within cyberspace, seek to preempt or prevent the carrying out of costly, dangerous, and disruptive attacks against government and civilian critical infrastructure. However, these deterrence initiatives also seek to preserve the peace, stability, and order of cyberspace so that the benefits of the Internet may be enjoyed by all citizens.⁵ That is, criminological literature explicitly acknowledges the fact that deterrence is not simply an elite strategy, practiced by elites and affecting only elites within the system. Rather, deterrence is a way of securing space for all citizens within the community.

In addition, the criminology literature — particularly the literature about illegal immigration — focuses on the actors involved in these activities. As Frank Cilluffo et al. noted, the nuclear deterrence analogy might not be a good fit with the cyber-deterrence puzzle because its overwhelming focus is on hardware — the weapons that are used to demonstrate resolve. However, Cilluffo et al. argued that the real threat in cyberspace comes not from the code itself, but rather from the individuals and groups (including criminal elements, state-sponsored terrorists, and foreign militaries) who seek to use code and computer exploits (actions that take advantage of a computer bug or vulnerability) to enter and destroy parts of cyberspace. Thus, they argue, the key to defeating these intrusions lies not in focusing on weapons but on the individuals and groups who use them — through a better understanding of their motivations, views, and conceptualizations of risk and threat.⁶ It therefore may be more useful to ask: "How do deterrence strategies prevent individuals from driving while intoxicated, from engaging in domestic violence, or from engaging in illegal immigration — and what can we learn from these situations that is relevant to the best ways to deter cyber-intruders rather than to dwell at length on specific technological specifications and their effects on driving or ending the cyber-arms race?"

In addition, the literature on deterring criminal behavior does not assume — as nuclear deterrence writing does — that motives are unalterable and incapable of being changed. Looking predominantly at individual law-breaking behavior, this literature pays more attention to the way individuals make choices to engage in behavior the authorities wish to deter, as well as the circumstances that might create these behaviors to begin with. For example, a study of driving while intoxicated does not consider merely what remedies are most effective in reducing or deterring the behavior, but may also engage with the "why questions" — the reasons some deterrent strategies work better than others. Another "why question" could be the degree to which a penalty for drunk driving might lead to a cessation of the behavior, rather than merely a decision to engage in the behavior in another state where perhaps penalties are less strict. That is, the strategy does not take preferences as given, but also asks how preferences might be changed.⁷

Furthermore, the criminological literature on deterrence is in some ways much richer than that about nuclear deterrence, which cyber-analysts have thus far devoted the bulk of their attention to. Because there are so many instances of crimes, such as illegal immigration, drug trafficking, or driving under the influence — and so few cases of nuclear launches — there are a much wider variety of cases of both successful and failed deterrence efforts for analysts to examine. Because the emphasis is on understanding a mass rather than an elite phenomenon, we have the opportunity to use methodologies to study the problem that would not be available in studying nuclear deterrence, for example. In particular, as this Letort Paper indicates, there are numerous studies of illegal immigration based on survey data and interviews collected from both failed and successful illegal immigrants. This data allows us to speak at greater length about the individual psychological decision-making processes, which individuals undergo in reacting to a deterrent, as well as to understand better which types of deterrents are more or less successful in preventing an attack. The criminology literature is also much more explicit about the end goals sought in utilizing deterrence strategies. Analysts ask, "Do we want to reform the criminal, to cause him not to engage in criminal behavior anymore, or merely prevent him from robbing my house?" In each case, the action is deterred, but the result is somewhat different, not only for the person implementing the strategies but for his or her neighbors as well.

What Can Studies of Drunk Drivers Teach Us About Cyber-Deterrence?

Valid lessons can be culled from examining surveys of would-be immigrants in particular to help us understand how potential cyber-aggressors think about issues, including strategy, tactics, targeting, and the likelihood of success and failure. In presenting both nuclear deterrent and criminal deterrent strategies, analysts rely on certain assumptions about how individuals make decisions, based on the notion of the rational actor. In each case, analysts assume that the actor who is deciding whether to act is aware of his or her preferences; that he or she is able to state those preferences and to rank-order them; and that he or she is aware of the costs and benefits (the utility) associated with these preferences. Models also assume that deterrence strategies can be effective in changing the actions of individuals and groups, and that outside analysts are able to interpolate the actors' preferences to assign value to and rank them and to rank the preferred options and outcomes of each side in the conflict.

Within criminology literature, analysts distinguish between not two but three different types of deterrent strategies. The first is deterrence, or prevention by design. In these cases, analysts may assume that the behavior they are trying to prevent is not ultimately preventable, because of human nature, social practices, or another variable. In such cases, a decision is made that it is not cost-effective — or perhaps not even possible — to seek to change individuals' preferences and practices. Therefore, officials may decide not to spend time and money on convincing individuals not to deface public property, not to engage in prostitution, or not to text and drive. Instead, they may work with designers, architects, or even medical personnel to put measures in place that make the individual unable to engage in his or her desired action regardless of his or her preferences. Design modifications — or barriers — might include requiring sex offenders to take medication that makes sexual activity impossible; developing special repellent paints to use in public places that make producing graffiti impossible; or constructing a physical structural wall between bordering nations to make illegal immigration impossible.⁸ Indeed, the design of many computer firewalls is properly understood as a form of prevention by design.

Although such designs may be highly effective, it is worth noting that adopting such strategies has its limitations, since it does not actually change the preference structure of the would-be offender, nor does it establish community norms against the behavior. Instead, prevention by design strategies often merely stem a particular set of behaviors at a particular geographic location. However, since the strategies do not change preferences, it is likely that the would-be offenders will simply move on to perform the undesirable behavior at a different location. For example, a business that plays old-fashioned music to discourage teens from loitering outside the establishment has not actually solved the problem of loitering but has only encouraged the teens to move on to a different location or target.

In addition, prevention by design can be seen as a dynamic process. It is unlikely that the "architects" of this policy will ever arrive at a perfect solution that prevents all of the unwanted behaviors. Instead, one can envision a scenario in which would-be rule violators design a work-around to lessen the effects of the prevention by design measure. (For example, undocumented immigrants wishing to enter the United States but encountering a border fence might choose another location to make their entrance attempt, or they might hire a more experienced guide to assist them in their efforts.) Thus, any investment in prevention by design is likely to be temporary or of limited value. It is not a permanent solution. This understanding presents a dilemma — since the creation of a prevention by design strategy may necessitate a long-term investment by an actor to secure what is perhaps only a short-term advantage.

Here, the lesson for cybersecurity is clear as well. Barriers that prevent actors from accessing a system need to be, as Emilio Iasiello notes, "relentlessly monitored and adapted to a constantly changing threat environment."⁹ Here we can consider events in 2014 and 2015, in which much of the energy in cyber-defense and cyber-deterrence was aimed at improving the security of major corporations (like those associated with credit cards and the financial system), which succeeded only in leaving additional vulnerabilities open, such as the possibility that hackers would then target the healthcare industry.

Prevention by design strategies are also unusual in that they are most often "one size fits all" strategies. It is harder to come up with a targeted prevention by design strategy, since most often design modifications will prevent all affected actors from engaging in the action in all situations, rather than merely preventing some individuals in some situations. For example, a municipality that designs a town square without seating in order to prevent homeless individuals from taking up residence in the square will not succeed in preventing only this action. Rather, it is just as likely that the disabled or elderly visitor to the square will also have nowhere to sit. (Similarly, an Internet filter meant to prevent schoolchildren from accessing sexual content might also affect the adults working at the school, preventing them from, for example, preparing a biology lesson.) Prevention by design strategies are, in this regard, crude but highly effective strategies.

Table 1 illustrates how prevention by design strategies work in three areas — criminology, law enforcement, and cyber security.

| Field | Action | Prevent by Design Strategy | Possible Outcomes |
|---|---|---|---|
| Criminology: | Driving While Intoxicated | Install devices like breathalyzers in cars to prevent individuals from driving while drunk | Individual may decide not to drive while drunk, OR he may procure another vehicle |
| Law Enforcement: | Overcoming Border Security | Install fences along U.S. southern border | Individual may decide not to immigrate, or may continue to make repeated attempts, often at other locations |
| Cybersecurity: | Unauthorized Access to systems | Use of firewalls | Individual may decide not to access and may move on, choosing a different target |

Table 1. Prevention by Design Strategies.

Writing about cyber-deterrence frequently conflates together the notion of prevention by design and deterrence by denial, since this distinction is not as clear in the international relations literature as it is in the criminology literature. In particular, proponents of cyber-deterrent strategies may speak of raising the costs of attack, stating that an adversary may preemptively decide not to attack a target because the perceived costs of attack are too high due to the information available about the barriers that must be accessed surrounding the target. Thus, they draw on the writings of the military strategist Sun Tzu, who suggested that the best conflict is the one you are never forced to fight because your opponent is intimidated and withdraws before war is declared.

In point of fact, one can raise the costs of an attack either through design modifications — such as a border fence, which would be expensive to scale without elaborate equipment or outside help — or through a deterrence by denial strategy, such as export controls, which would make it difficult for an adversary to assemble the necessary components to carry out an attack. Here, deterrence by denial refers to the creation of barriers to entry, which would raise the costs and level of difficulty experienced by would-be hackers seeking to access information or assets through cyberspace. In such a circumstance, the expectation is either that the would-be attackers would fail in their attempts, or that they would preemptively decide not to attack, based on what they know about their odds of success and failure. (That is, their preferences might actually be changed.)

For example, an opponent who contemplates assembling a nuclear weapon might be prevented from doing so through a concerted effort by all nations within the international community not to allow rogue nations to buy enriched uranium or acquire the laboratory equipment and technical expertise needed. Here, a multilateral combination of monitoring, export controls, and intelligence activities is used together to deny the adversary access to the necessary components. Deterrence by denial strategies may thus rest on a strategy of publicity in which would-be attackers or lawbreakers are made aware in advance of the barriers to their access, or they may be carried out covertly, with would-be attackers becoming aware of the barriers only when they encounter them through actions. Braun and Chyba (2004) refer to such a regime as a "supply side strategy," since the aim is to keep would-be aggressors from procuring the necessary supplies to carry out their attacks.¹⁰ Similarly, Barnum distinguishes between "inward-looking strategies," which ask the defender to consider what his or her own weaknesses or points of vulnerability might be, and "outward-looking strategies," which might consider the resources that the community as a whole has to defeat the aggressor.¹¹

While the two strategies — prevention by design and deterrence by denial — might look similar on the surface, they are not in fact the same strategy. Both are strategies that require planning and intelligence. Those who seek to prevent an action or deny an adversary are in both cases acting on information they already have on what the adversary is likely to do. In this way, both strategies are proactive, rather than reactive.¹² However, prevention through design is a unilateral strategy that any individual player could mount. It does not require any outside cooperation to work, nor does it create any form of community good. In contrast, deterrence through denial may be carried out either unilaterally or multilaterally.¹³ In a multilateral deterrence strategy, the actors wishing to deter an action may cooperate to establish a regime in order to create a community good (such as international security). A multilateral strategy would require a "buy-in" from other actors within a neighborhood or international community.

Analysts also differ as to whether deterrence by denial strategies are effective in changing the preferences of the would-be aggressor. In criminology terms, consider a strategy aimed to deter underage drinking through requiring proper identification for those wishing to enter an establishment serving or selling alcohol (deterrence by denial), as well as through punishing those caught with illegal possession of alcohol (deterrence by punishment). It is possible that requiring proper identification would deter some individuals who sought illegal access to alcohol, while others might go around the prohibition by procuring a false identification card.¹⁴

Also, consider the example of international export control regimes aimed at deterring rogue states and nonstate actors from securing access to chemical, biological, or nuclear weapons. While some actors might be deterred by the difficulties erected through such regimes, others might be more persistent — and instead of abandoning the quest, they might turn to other suppliers for the needed ingredients. Alternately, they might choose another tactic for launching their attack, such as, for example, a suicide attack over a biological weapons attack.

It is my contention that in discussing cybersecurity initiatives, many examples of prevention through design approaches have actually been mislabeled as deterrence by denial. While it is true that today the United States is involved in multilateral efforts to secure cyberspace and to deter aggressors, it is equally true that corporations overwhelmingly provide only for their own cybersecurity and that they are reluctant to provide information about either the attacks that they have undergone or those that they have prevented in the larger community. The majority of cybersecurity initiatives today — particularly those undertaken by corporate actors — are unilateral, aimed not at securing a public good, such as a more secure cyberspace, but rather, securing the "borders" of particular corporations, even if doing so means increasing the likelihood that the same actor might target another American entity. In each case, the aim of the protector is not to change the strategy or practices of the aggressor, but instead, merely to prevent incursion into one's own system. In Realist terms, one could argue that prevention by design is a selfish strategy, in which an organization prioritizes its own survival over that of the collective. A graphic example of this strategy in practice would be a situation in which New Mexico, for example, became a stringent enforcer of border security, thus leading to more individuals attempting to cross the border into California.¹⁵

SUGGESTIONS FOR PLANNERS

In considering how organizations such as U.S. Cyber Command might work with corporations to prevent unauthorized access to both corporate information and specifically, customer information belonging to U.S. citizens, it is thus important to consider the difference between the two strategies — prevention by design versus deterrence by denial. One can draw the following lessons from looking at prevention by design strategies:

• Do not assume that attackers will eventually "learn"
anything, including the futility of mounting future attacks.

• Do not expect that any form of community or shared
interests would evolve among organizations predominantly
utilizing a prevention by design approach.

• When one player increases its prevention by design level,
the costs may be passed on to other organizations, which now
become more attractive targets. The "arms race" created is
thus not between the attacker and the target, but between
multiple targets, each of whom wants to be seen as the least
desirable, most difficult, or most expensive site for
attack.16

• Cyber-deterrent barriers need to be dynamic. The dilemma
is that a long-term investment may be required to produce
only a short-term advantage.

Table 2 illustrates differences between prevention by design
and deterrence by denial.

Goal:
    Prevention by Design: Raise costs, barriers to attack
    Deterrence via Denial: Raise costs, barriers to attack

Actors:
    Prevention by Design: Individual (corporation,
    municipality, etc.)
    Deterrence via Denial: Individual or Community

Goods Created:
    Prevention by Design: Individual Goods
    Deterrence via Denial: Individual or Community Goods

Who Is Deterred?
    Prevention by Design: Everyone
    Deterrence via Denial: The least persistent actors

Desired Actions:
    Prevention by Design: Attacker will choose new target
    Deterrence via Denial: Attacker will decide not to attack
    or choose new target or strategy

Table 2. Prevention by Design vs. Deterrence by Denial.

The final deterrent strategy that criminologists refer to in
their work is deterrence by punishment. This term refers to
strategies that would be implemented to punish individuals
and groups, and in some cases, their sponsors (including
state sponsors), once access has been detected and, in some
cases, damage has been sustained. While both prevention by
design and deterrence by denial are proactive strategies
aimed at preventing a breach from occurring, deterrence by
punishment refers to actions taken after a breach has
occurred. However, one can also deter based on a threat of
punishment—in essence affecting the calculations that the
would-be attacker carries out before deciding not to attack
based on the likely punishment for doing so. That is, one
can preempt conflict through the creation of an expectation
that the punishment received for one's attempt is far
greater than any gain one could possibly expect to receive
through that attempt.

Here, criminologists and military thinkers part ways in
their analysis of deterrence by punishment. Theorists within
military ethics and international law are particularly
preoccupied with the size of the punishment that is
threatened, and they have argued about whether deterrence by
punishment necessarily rests on a use of disproportionate
force in relation to the action itself—a situation that
would seem to violate the international law principle of
proportionality.17 In addition, analysts who write about
nuclear deterrence speak of a punisher's resolve and
credibility: consider, for example, whether the Soviet Union
really believed that the United States would be willing to
inflict a nuclear strike during the Cold War era.

In contrast, criminologists have focused on the deterrent
effects of punishment, concentrating not on the punishment
itself but on the way the would-be aggressor understands
that punishment. They have asked whether young miscreants
are sufficiently well informed about the punishment they are
likely to receive, and how clearly the signal regarding
their likely punishment has been received. A study about
drinking and driving among college students found that the
best predictors of an effective deterrence by punishment
strategy were the "celerity" and imminence of the threatened
punishment along with the certainty and severity of that
punishment. The same study found that individuals might be
as affected by the extra-legal consequences of a punishment
as they are by the legal ones.18 Here again the criminology
literature is more nuanced, distinguishing between serial
recidivists and one-time offenders. In this way, the
criminology literature enables us to examine situations of
iterated deterrence, which have not merely one deterrent
event but several. As argued in Section II of this Letort
Paper, the iterative nature of cyberattacks is one key
feature that distinguishes cyber-conflict from more
traditional military conflict, including nuclear conflict.

II. WHY THE NUCLEAR ANALOGY IS A BAD FIT

As noted, most queries regarding how deterrence might be
applied in cyberspace thus far have been based on an
analysis of the literature on nuclear deterrence.19 Analysts
have asked whether it might be possible to draw a "red line"
in cyberspace, or set up conditions under which aggressors
would become aware that their actions were subject to
deterrence by punishment.20 They have also described the
ways in which the "battlespace" has been secured through the
use of nuclear weapons, and asked whether cyberweapons,
along with more conventional weapons, could not play a
similar role in defending the cyber-battlespace.21 Parallels
are frequently drawn between the mutually assured
destruction (MAD) that would be created if both sides were
to use nuclear weapons in a bilateral conflict during the
Cold War, and the MAD that might occur today in cyberspace
if deterrence measures were to fail.22 In his essay, "Cyber
Deterrence: Is a Deterrence Model Practical in Cyberspace,"
Nathaniel Youd again considers the nuclear-cyberwarfare
parallel in suggesting that while the threat of MAD may have
been the impetus for later attempts at nuclear disarmament,
such an event is unlikely with reference to cyberwarfare.23

However, applying the literature on nuclear deterrence to
the evolving situation in cyberspace is not a perfect
fit—for several reasons. In the next section of this Letort
Paper, several specific problems, which help to distinguish
deterrence in cyberspace from deterrence in the nuclear
arena, are considered. These issues include the knowledge
problem or the problem of attribution; the temporal problem,
or the ways in which time functions in cyberspace as opposed
to during nuclear attacks; the payoff or reward structure
for both types of events; and the fact that nuclear
deterrence was largely an elite activity carried out by
specialists, whereas cyber-deterrence is a populist activity
that includes several different types of actors and in which
publicity, declaratory policy, and signaling become
increasingly important throughout the interactions. Table 3
provides a brief summary of these differences in approach.

Attribution/knowledge
    Nuclear Deterrence:
    • Actors are specified.
    • Both sides have information about adversary's weapons,
      strategies, and values.
    Cyber-Deterrence:
    • Actors are initially unspecified, becoming clearer as
      the interaction proceeds.
    • All actors must speculate about others' motives,
      weapons, strategies, and values.

Temporal frame
    Nuclear Deterrence:
    • Interactions are not connected. Success in one
      interaction may not affect capabilities or chance of
      success in future interactions.
    Cyber-Deterrence:
    • Interactions are iterated.
    • As they proceed, both sides acquire more information.
    • Later interactions may not resemble earlier
      interactions as strategy, resolve, knowledge, and
      capabilities evolve.

Payoff structure
    Nuclear Deterrence:
    • Interaction produces a clear winner and loser.
    • Action is zero-sum (one side wins while other loses
      through backing down, or failing to demonstrate
      resolve).
    Cyber-Deterrence:
    • Iterated nature means that even the loser gains: He
      acquires more knowledge about his adversary, which is
      used against the adversary in a future interaction.
    • Attacker may gain credibility or fame through
      launching an attack, even if he fails.

Elite/populist
    Nuclear Deterrence:
    • Actions, weapons, and strategies are classified.
    • Cleared individuals who do not share information carry
      out actions and strategies.
    • Public may have a stake in the outcome but does not
      have any responsibility to participate or be informed.
    Cyber-Deterrence:
    • Actions, weapons, and strategies may be the subject of
      public knowledge and speculation.
    • Individuals, groups, corporations, and state actors
      carry out actions.
    • Corporate employees and citizens may be called upon to
      "help" in cyber-deterrence effort through practicing
      good cyber-hygiene and reporting suspected attacks.

Demonstrate resolve/capability
    Nuclear Deterrence:
    • Signaling function may be clear-cut.
    Cyber-Deterrence:
    • Signaling function is frequently unclear.

Table 3. Differences between Nuclear Deterrence and
Cyber-Deterrence.

The Knowledge Problem: Attribution, Puzzles, and Mysteries.

As noted earlier, nuclear deterrence literature relies on a
game theory model in which there are clear policy
consequences associated with each of the clearly defined
choices a state may face. Thus, in describing and
understanding how great powers made decisions about how to
behave during a nuclear standoff, analysts could assume that
they knew who their adversary was, what weapons he or she
possessed, the power associated with those weapons and the
consequences for each side associated with each policy
choice. In addition, the field of nuclear forensics made it
possible to identify particular components as belonging to
particular actors. In this way, there was a clear trail from
the attack back to the attacker.24 In addition, nuclear
deterrence is zero-sum, meaning that in each altercation,
one side could be said to have succeeded while the other
failed. It was quite obvious in a nuclear standoff who the
winner and loser were. Finally, it is obvious what
constitutes an act of war in nuclear war: it is the launch
of a missile. In contrast, it is not entirely clear what
constitutes an act of war in cyberspace, nor are the ideas
of territory or boundaries clearly defined or agreed upon
within international law.25

In addition, as Robert Jervis points out, nuclear deterrence
theory suggests that all actors contemplating a nuclear
attack see the world in similar ways, based on similar
assumptions. Thus, one assumes that they have similar
motives and intents as well as a similar time frame.26 This
set of assumptions may well hold in considering nuclear
deterrence doctrines, but it is problematic in considering
the applicability of these doctrines to cyberspace. Instead,
as Robert Siciliano has noted, cyber-incursions into U.S.
Government and private cyber-assets are carried out by a
variety of different actors with a variety of different
motives. Not all actors see risk the same way, nor are all
equally committed to the achievement of their objectives.27
Indeed, recent discussions about the problem of asymmetric
warfare in cyberspace are an acknowledgement of this
reality—that deterrence by punishment strategies cannot be
"one size fits all"—since not all attackers have the same
critical infrastructure and assets belonging to their group
or state. Therefore, it is not possible for the United
States or another defender to strike back at a group in the
same way in which they themselves may have been struck.28

However, in thinking about the altercations that have taken
place thus far in cyberspace, one is reminded of the words
of the analyst Gregory Treverton, who drew our attention to
the differences between puzzles and mysteries in describing
the task of intelligence gatherers today. In his work,29
Treverton suggests that the task of intelligence during the
Cold War was mostly to "fill in the blanks"—or to provide
answers to clearly specified questions such as, "How many
ICBMs does the Soviet Union have and where are they
stationed?" Once one gathered all these puzzle pieces
together, one could have a clear picture of the battlefield
and the risks associated with various strategies. In
contrast, he argues that in the post-Cold War Era, the
questions that confront intelligence planners are not
puzzles, but mysteries. The questions are frequently broader
and less clearly specified. They may include the word "Why"
and ask for speculation about motives, which are unclear and
sometimes poorly specified. Thus, a mystery might include a
query like, "Who are our enemies and why do they wish to
harm us?"

We can compare the knowledge environment of the 1962 Cuban
Missile Crisis to the Spring 2015 cyberattacks on the U.S.
Office of Personnel Management, believed to have been
carried out by the Chinese state-sponsored group Deep Panda.
In recent years, Deep Panda has attacked American think
tanks and human rights groups, as well as defense,
healthcare, government, and technology firms.30 Here,
cyberspace attribution is not a one-time process in which
one is immediately right or wrong in terms of one's
assessment of who committed the attack. Instead, as Eric
Jensen notes, attribution may take place along a spectrum
where, "over time a victim becomes more and more certain of
who committed the attack."31 And here, as we can see,
intelligence plays a much larger role in helping actors
think through and make sense of the battlespace—helping to
see through deceptions, such as actors who "spoof" or
pretend to be other actors, helping to draw connections
between groups who might not at first glance appear to be
connected, and providing answers to mysteries such as, "Who
is my attacker and what does he want?"

We might also compare the winter 2014-15 attacks on the
Anthem healthcare corporation, which are also believed to
have been the work of Deep Panda. In the Anthem intrusion,
the security firm which investigated the break-in was able
to match the Internet Protocol (IP) address associated with
the malware to other known IP addresses associated with
Chinese government information warfare divisions32—but this
only occurred after the break-in had been identified. The
two parties thus never came "eye to eye"—since the American
entity did not immediately realize that they were under
attack, nor did they know the identity of their attackers
until much later.

The Temporal Problem: The Iterative Nature of Cyber-Defense.

In comparing nuclear and cyber-deterrent environments, one
also needs to consider the different temporal
environments—or the way in which time factors into
decision-making in each environment. Here, as Joseph Nye,
Jr. points out, "Nuclear explosions are unambiguous and
immediate; cyber-intrusions can plant logic bombs in the
infrastructure that may go unnoticed for long periods."33
That is, the temporal logic for both types of deterrence is
different. In the nuclear example, if a defending state
wishes to deter an attack through a show of force, that show
must take place within a specified period of time in order
to cause an attacker to "back down"—as in the Cuban Missile
Crisis. Academic writing about nuclear deterrence thus often
focuses on situations of high conflict34 in which both sides
adopt "brinksmanship" strategies. The assumption is that
there is one particular moment when two adversaries come eye
to eye with one another, and in which each side must decide
how to react—whether to launch the nuclear weapon or to
withdraw.35

In contrast, as John Rollins and Clay Wilson note in their
analysis of cyberterrorist attacks, cyberattacks are
frequently not individual, discrete incidents. Instead, as
they point out, cyber-incidents tend to blur the line
between war, criminality, and terrorism.36 Thus, the
incidents themselves cannot be neatly defined in terms of
either their temporal frame or their effects, which may
spill over beyond their original targets. Instead, Rollins
and Wilson note that:




Because of interdependencies among infrastructure sectors, a
large-scale cyberattack that affected one sector could also
have disruptive, unpredictable, and perhaps devastating
effects on other sectors, and possibly long-lasting effects
to the economy.37

Thus, in contrast to nuclear deterrence, cyber-deterrence is
not a process that acts during a specified period of time;
rather it is a constant and dynamic process, as attackers
may come back again and again to attempt to access the same
site; they may also retreat from a site and then use
information gleaned from the initial assault to re-enter and
wreak more damage at a later date. Within cyber-politics,
such intrusions are referred to as "advanced persistent
threats (APT)." Dmitri Alperovitch describes a scenario
involving cyberthreats as follows:

The adversaries, especially the nation-state types, don't
consider the battle or their mission to be over just because
they got kicked out of the network. After all, they have a
job to do: get in, and stay in no matter how hard it is or
how many roadblocks they face . . . And till now, the only
way to 'win' was to prepare yourself for the long fight with
an understanding that the adversaries won't relent and you
have to be vigilant and alert to beat back each and every
wave of attack.38

As the National Nuclear Security Administration notes, the
U.S. nuclear security enterprise may experience up to 10
million security events per day, while the U.S. Department
of Homeland Security notes that tens of thousands of
cyber-intrusions are carried out each year.39 Thus, Iasiello
argues that cybersecurity needs to be both ongoing and
dynamic, that while one's enemy may be temporarily deterred
from a particular target, this is seldom the end of the
matter.40

Furthermore, cyber-deterrence tends to "decay" over time in
a way that nuclear deterrence does not, since, as Jensen
notes, cyberweapons, unlike nuclear weapons, are "single
use" weapons.41 Once a weapon has been displayed to an
adversary and the larger community, its effectiveness is
limited. Others can easily copy it and modify it, and the
developer seldom has a long-term advantage as the creator of
the weapon. As a result, cyber-deterrence strategies are
less likely to end in a stalemate, which creates long-term
stability—as the nuclear analogy might suggest. Instead,
adversaries are likely to experience crisis instability,
wishing to act quickly after achieving a new weapon or
technology in order to wring all possible advantages out of
that situation before it changes once again.

However, the most striking difference between nuclear and
cyber-deterrence scenarios is the fact that cyberattacks or
cyber-altercations are seldom a "one-off" event that is
never repeated. Rather, as Brandon Valeriano and Ryan Maness
have shown in their database of cyber-conflict, it is best
understood as a set of iterated or repeated interactions,
often among the same players who spar again and again in
cyberspace. The idea of a stand-off—in the manner of the
Cuban Missile Crisis, between two clearly identified and
known adversaries—is not the most likely scenario to occur
in cyberspace.42 Instead, Valeriano and Maness suggest that
over time, the conflict may heat up, eventually leading to a
full-fledged cyberwar, such as what occurred between Russia
and Georgia.43

The ongoing nature of cyberattack also suggests that since
there is no "brinksmanship moment," deterrent strategies are
also likely to be less effective in preventing conflict.
Within the nuclear arena, we often speak of a brinksmanship
crisis, defined by Richard Lebow as "a confrontation in
which states challenge important commitments of adversaries
in the expectation that the adversaries will back down."44
That is, classical deterrence theory is concerned not only
with preventing enemy incursions once they have been
launched or in punishing incursions once they have occurred
(or been detected), but also with the notion of "winning
through intimidation"—of convincing your enemy that there is
no point in attacking you, since he or she would surely
lose, and thus causing the enemy to change what he or she
wants or chooses to pursue in advance, since there is surely
no way to get it. In the nuclear deterrence literature, the
notion of MAD assumes that within a clearly defined
brinksmanship moment, there are payoffs that both sides
would prefer to avoid because their consequences are
unthinkable.45 In this way, the deterrence strategies of
both sides can be understood as a way of preventing
escalation from a conventional to a nuclear arms race, and
on some level, a way of forcing a minimal level of
cooperation, which creates collective goods for the
community as a whole, including stability (bipolarity) and
the absence of nuclear conflict. Nuclear confrontation thus
is meant to produce an equilibrium or solution set, which
can be reached and will prevent further escalation and
create stability. Here we can consider the statement by
General Bernard Brodie who stated in 1946: "Thus far the
chief purpose of our military establishment has been to win
wars. From now on, its chief purpose must be to avert them.
It can have almost no other useful purpose."46

In considering cyber-deterrent strategies, however, since
they lack a brinksmanship moment, it may be preferable to
speak of prevention through design, rather than deterrence
by denial. The image of multiple actors (individuals and
groups) relentlessly hammering against the "gates" of an
enterprise to seek entrance seems to have little to do with
creating the conditions under which they change their minds
about entering—as deterrent strategies would suggest—and
more to do with building higher walls, including firewalls,
in order to ensure that the target is not overrun. In
addition, as noted earlier, would-be intruders seldom
abandon their quest; rather they merely move on and choose
another target, as is common in prevention through design.
As a result, deterrent strategies for cyberspace will need
to be long-range, targeted, and carried out within an
interagency context.47

Finally, time behaves differently in cyberspace strategies,
since companies today may start with the assumption that the
hacking has already occurred and the hacker is already
inside the network. That is, the "conflict" began without
the defender being aware of it. As the defenders respond,
they may be said to be "deterring" further actions, but they
are clearly not preventing the hackers from entering. Here
again, one could argue that what the defender is really
doing is more akin to prevention through design, as he
builds structures (like mazes, hidden files and decoy files
known as "honeypots") to lure attackers away from the assets
he or she most wishes to defend.48 Table 4 shows the timing
of event differences between nuclear and cyber-conflicts.




Events
    Nuclear:
    • May be one-off.
    • Brinksmanship moment.
    Cyber:
    • May be iterated, ongoing.

Beginning of event
    Nuclear:
    • Declared, obvious—takes place in real time, with real
      time reactions.
    • May "win through intimidation" through convincing
      attacker to back down BEFORE he or she attacks.
    Cyber:
    • May not be obvious until event has already begun or
      even finished.
    • Defender may be reacting to an ongoing event.

End of event
    Nuclear:
    • Obvious: one side backs down and is declared the
      loser.
    Cyber:
    • Non-obvious: defender may still not be aware that
      event has occurred, or may not be able to identify his
      or her opponent yet.

Properties
    Nuclear:
    • Deterrence can create stability.
    • Weapons' utility remains relatively constant.
    Cyber:
    • Weapons' effectiveness decays quickly.
    • Tendency toward crisis instability, "striking while
      the iron is hot."

Table 4. Time in Nuclear and Cyber-Conflict.

The fact that conflict is ongoing—often between the same
adversaries, occurring along a spectrum where there is no
clear end point, beginning point, or brinksmanship
moment—has implications for the way we think about the
payoffs or rewards that cyberattackers may gain or lose in
cyber-conflict today. It also affects how we think about the
costs associated with participating in cyber-conflict and in
preparing for it.

The Learning Problem: The Payoff of a Failed Attack.

As the previous section has indicated, cyberattacks might be
more properly viewed as part of an ongoing campaign, rather
than as individual attacks. This distinction is important,
since the reward structure is different for aggressors in a
campaign than for aggressors within a specific conflict. The
reward structure is also different for defenders in a
campaign. In considering cyber-deterrence, two important
facts emerge.

First, deterrence in the cyber-realm is not iterative. That
is, deterring one attack does not increase your chances at
deterring subsequent attacks. Here again, we can distinguish
between a nuclear environment in which a player might
leverage a success in one interaction into successes in
other areas or in future interactions. That is, in the
nuclear arena for the United States, prevailing publicly in
an event like the 1962 Cuban Missile Crisis created power
and credibility that could then be leveraged against future
attacks. The United States demonstrated resolve, which made
it look more threatening to others within the international
system as well as toward the Soviet Union in particular.
However, because there is no brinksmanship moment in
cyber-conflict today, it is theoretically possible for a
defender to beat an opponent's planned attacks and to gain
nothing from having done so—because the less public nature
of cyber-conflict means there is no guarantee that anyone
will know the deterrence occurred. In addition, there is no
guarantee that the next attack will resemble the first in
any way nor that the next attack will be committed by the
same actor.

Secondly, while deterrence is not iterative, cyberattacks
are. That is, while the defender may win little by
successfully defending a target, the attacker may win much
more—even if he or she does not succeed in obtaining the
target, because of the nature of the ongoing campaign being
waged. That is, when an adversary succeeds in hacking into a
system, the odds are increased that he or she will
subsequently be successful in infiltrating the same or
similar systems—since each attack provides more information
about the adversary that can be used in preparing subsequent
attacks. Succeeding once thus increases the odds that the
attacker will succeed again. Thus, paradoxically, a failed
attempt in cyberspace might not weaken one's opponent, but
might instead strengthen him or her, allowing the attacker
to come back later and attempt to attack a target again,
equipped with increased knowledge, new skills and perhaps
even better outside support. (In contrast, "backing down"
from a nuclear confrontation is seen as a failure, which
confers no benefit on the would-be aggressor, who may lose
prestige within the international community as his or her
reputation declines.) This way, even though a cyberattacker
may be deterred, he or she may actually be incentivized to
wish to return and try a subsequent incursion, armed with
the increased knowledge derived from the first attempt.49
Current strategic thinking about deterrence by denial and
deterrence by punishment does not allow for the possibility
of one's adversaries deriving a reward within a deterrence
scenario, especially when they fail.

This point — about the rewards of failed attempts within the context of an ongoing campaign — can be illustrated through considering the winter 2014 Chinese attacks against Anthem Inc., the U.S. healthcare system. Here, Bill Gertz notes:

Stolen personal data likely will be used by Chinese intelligence services to identify, locate and recruit potential agents, especially those in the US government or at defense contractors, or for conducting cyber attacks against specific high-value targets. ... By sifting the stolen Anthem data for records on specific intelligence targets, the Chinese stand to gain a further picture of how to approach these targets.50


An article in Reuters similarly spoke of a "month-long battle" with the group Deep Panda, also known as Shell Crew, which is believed to have been active since 2011. The author notes that the crew probed the defenses of a U.S. company for 6 months before getting data, which were then used to set up a spear-phishing account that company employees fell for, clicking on a link that installed malware. These steps then allowed Deep Panda members to "move freely" along the system for a period of 50 days. The author notes that "for the next 50 days the group moved freely, mapping the network and sending their findings back to base." They then returned 3 months later with specific lists of data they wanted, likely after consulting with other experts.51 (Cilluffo et al. refer to such an attempt as "preparing the battlefield" for a later assault through gathering intelligence.)52 Indeed, expert Dmitri Alperovitch has suggested that China is carrying out a campaign that has included the targeting of state motor vehicle departments and U.S. Investigations Services, Inc. (USIS), a U.S. contractor conducting security clearance investigations.53 It has been suggested that perhaps all of the attacks may be part of a larger plan aimed at creating a database of prominent Americans.

However, for the defender, it is not always possible to figure out how the attacks are related, and whether an attack is simply a one-off event or part of a larger campaign. (Here we may think again of Treverton's analogy of the mystery versus the puzzle.) In contrast, even in a situation where a would-be attacker appears to have "lost" by not accessing his or her target, the attacker may have still "won" because of gaining increased knowledge about the target, skills at hacking, and perhaps acquiring an increased reputation within the hacking community based on how successful the incursion was. Thus, the payoffs are asymmetric and biased against the defender.

The Populist Problem: Nuclear Deterrence Is an Elite Activity, While Cyber-Deterrence Is Not.

A final reason the nuclear deterrent example is not a good model for thinking about cyber-deterrence is the difference between the elite, specialized, and classified nature of nuclear deterrence activities and the more populist and public nature of cyber-deterrence activities. While one can speak of "public moments" in nuclear deterrence, such as the Cuban Missile Crisis, for the most part, nuclear deterrence has been a highly specialized, elite activity. Those who work daily with missiles are largely military personnel or contractors holding high-level security clearances. Little public attention is paid to their activities or to them.

In contrast, cyber-deterrence today may require cooperation by all users of a technology. Just as U.S. security officials have enlisted the cooperation of American citizens in being vigilant against terrorism, campaigns have also asked Americans to pay attention to their cybersecurity — from safeguarding their personal information, to choosing good passwords and being careful not to respond to phishing attempts. The problem is that while deterrence for defensive purposes appears to require the cooperation of all users, attacks do not. Instead, they may be carried out by groups like Deep Panda without citizens on either side being aware of them.

III. WHY BORDER DETERRENCE THINKING IS MORE APPLICABLE THAN NUCLEAR DETERRENCE THINKING

As the previous examples have shown, the nuclear example is not an exact fit for those who wish to "borrow" deterrence strategies and apply them in cyberspace. Differences in the temporal frame, the reward structure, and the elite versus populist strategies used suggest that applying the nuclear analogy may be more confusing than helpful. In contrast, as I have argued in Section I, a better example may be drawn from the literature not on nuclear deterrence but on criminal deterrence. In particular, the best way to think about how to deter would-be aggressors in cyberspace may be to borrow key tools and lessons from the efforts of U.S. border security forces, which have attempted to defend U.S. borders from authorized real attacks in real space.

There are several reasons the border security analogy more neatly tracks with the cyber-incursion situation. First, both types of borders are porous and difficult to guard. As Kelly Gable has written, the main threats that exist in cyberspace come about because of inherent weaknesses, which are built into the structure of cyberspace and its technologies. Namely, it is leaky or porous and has poor borders, which are not well defined and are nearly impossible to police. She writes:

The primary security threat posed by the internet is caused by an inherent weakness in the TCP-IP protocol, which is the technology underlying the structure of the internet and other similar networks. This underlying structure enables cyberterrorists to hack into one system and use it as a springboard for jumping onto any other network that is also based on the TCP-IP protocol.54

Clorinda Trujillo notes that a number of issues complicate the problem of how best to guard cyberspace. The fact is that the assets that make up cyberspace may be comprised of infrastructure and data belonging both to the government and to corporations. In addition, the "borders" of cyberspace may be unclear, since assets belonging to one country (like data) in reality may be housed in another country (which may maintain and house the servers).55 Nonetheless, since 2006, the U.S. Department of Defense has maintained a posture that would deny entrance to potential aggressors who attempt to achieve objectives in U.S. cyberspace. As noted in the 2006 Quadrennial Defense Review, the U.S. posture serves both to deter those who would seek entrance to U.S. cyberspace, as well as to persuade would-be interlopers not to make the effort, as they are likely to fail.56 This way, the U.S. military could be said to have already spent nearly 10 years attempting to guard its borders in cyberspace. Thus, it is possible to compare and contrast the efforts of U.S. border patrols in both real space and cyberspace during that period.

1. A Variety of Actors Involved in Creating and Enforcing Deterrent Strategies.

We can also draw parallels between the variety of actors involved in deterring border crossings in the real and virtual worlds. In both cases, conflicts are created between a variety of different state actors on the federal, state, and local levels. Although the responsibility for policing borders lies formally with the federal Immigration and Customs Enforcement (ICE) agency, in reality the responsibility for identifying those who have breached our borders may fall on state troopers, local police, and even social services agencies acting in a border area. Illegal immigration costs all of these organizations money, and it is in the interests of all to cooperate in implementing policies that are drawn up at the federal level. Yet, in reality, with the problem of sanctuary cities, all of these organizations may not be on the same page in terms of border security. All may not agree about the threat posed by territorial incursions or be willing to commit their resources to address the problem. Some actors, like corporations, may even benefit from illegal immigrant labor and thus have no vested interest in committing resources to combat the problem.57 Moreover, as with cybersecurity, the responsibility for coordinating the disparate responses and for making policy is at the federal level. That is, both in virtual and in real border security, the lead is taken by the federal government, with additional responsibilities being parceled out to other actors at state and even local levels, including appropriate civilian and business authorities.58

Similarly, with incursions into cyberspace, U.S. Cyber Command, under U.S. Strategic Command, is responsible for defending Department of Defense computer systems and conducting full-spectrum military cyberspace operations.59 However, as Trujillo points out, U.S. Cyber Command does not work alone in defending American cyberspace. Instead, as she notes, the 2002 U.S. National Security Strategy speaks of a requirement to detect and deter international espionage efforts, which might involve using cyber-capabilities. The main responsibility for combatting such attempts is given not to the U.S. military, but to those government agencies involved in enforcing trade agreements — including the Department of Commerce and the Department of Justice.60 This way, both military and civilian agencies (including commercial entities) and employees are asked to work together in protecting the "borders" of cyberspace.

In both situations, there is a primary player (U.S. Customs and U.S. Border Enforcement, or U.S. Cyber Command), which is also backstopped by a number of players with related missions. As Wayne Cornelius and Idean Salehyan point out, the deterrence mechanisms placed around our nation's borders are multi-layered, including ships, planes, advanced radar, and personnel.61

Lesson One: Both problems - deterring real and virtual border crossings - require a complex set of deterrence solutions.

These solutions must be choreographed by a wide variety of actors, not all of whom are equally committed to allocating resources or solving the problem.

• In both cases, it is thus important to designate a single point of contact who is responsible for coordinating diverse efforts as well as exploring what might be required to get "buy-in" from all key actors. Thus, we have seen the appointment of a Policy Czar for Illegal Immigration as well as a Special Assistant to the President and Cybersecurity Coordinator.62

• In both cases, it is also important to define terms and to make sure that all players share understandings, as well as to define clearly the sphere of responsibility. Defining terms and spheres of responsibility is likely to be a point of contention in both cases.

2. A Variety of Different Types of Trespassers.

Next, in considering the "knowledge problem," the border incursion scenario more closely resembles the cyber-situation than the nuclear scenario does. At any given time, U.S. border control agencies must be prepared to fend off an unknown and somewhat unpredictable number of possible trespassers in a poorly defined information environment. Those who seek to access America's physical borders may include men, women, and children; they could be career criminals, starving refugees, or possible terrorists. The skills, tools, and motives of the trespassers vary by status and occupation and therefore, the same strategy for preventing access may not work for each group.

Similarly, cyber-analysts have identified seven different types of "hackers" or intruders, including:

• Tool kits or newbies who may follow instructions found on bulletin boards to carry out simple computer exploits;

• Cyberpunks, who may be interested in activities such as defacing web pages, often for political or ideological reasons;

• Internals, who may be disgruntled employees working within an existing company's computer department;

• Coders;

• Old Guard hackers, who may be interested in the intellectual challenge of accessing a computer system;

• Professional criminals; and

• Cyberterrorists.63

Siciliano offers a slightly different typology of possible hackers and their motives, which are summarized as:

• White Hat Hackers, who may wish to test their own company or other company's systems in the hopes of identifying weaknesses they will then report to the companies;

• Black Hat Hackers, who usually work for money, hacking into systems illegally;

• Script Kiddies, who usually seek fame for their exploits, often using borrowed programs;

• Hacktivists, who are often motivated by politics or religion;

• State-Sponsored Hackers;

• Spy hackers, who may be hired by corporations and may sometimes act as moles, working in corporations to get access; and,

• Cyberterrorists.64

Cilluffo et al. also point to a variety of types of adversaries, which the United States (or any nation) may face in cyberspace — including foreign militaries, foreign intelligence and security services, nonstate terrorist organizations, nonstate criminal enterprises, and hybrid aspects (such as one actor acting as a proxy for another).65

The lesson here is clear: Both in real space and in cyberspace, border crossing is an activity practiced by different types of people with varying levels of commitment to achieving their target. Some are ranked as amateurs, while some are professionals. Some are primarily motivated by benign reasons, while others are not. Some percentage in each group are terrorists. As John Mowchan points out in reference to the cyber-problem:

Non-state actors include hackers, hacktivists, terrorists and organized crime groups. Hackers are thrill-seeking individuals. . . . while hacktivists use cyberspace to protest or promote their political beliefs. Both usually don't possess the technical skills to attack effectively government networks; however, state actors, seeking to avoid attribution, could provide them with the necessary tools to degrade or damage U.S. government networks.66

In each case, planners need to design different deterrence strategies for different groups who may have different motivations and different levels of commitment to achieve their objectives. Unfortunately, as Scott Helfstein et al. point out in their study of nuclear terrorists, a paradox exists: Those who are most likely to be deterred from their objectives by a show of force on behalf of the defender are probably the least dangerous and least committed intruders. In contrast, those who are least likely to be deterred are likely to be well-resourced (possibly state-sponsored); they may also have a higher level of ideological commitment to the achievement of their objectives. Indeed, it is possible that those that are strongly ideologically committed to an action will be incapable of being deterred — since their motivations are fundamentally less rational.67

Douglas Tippett again argues in favor of a targeted deterrence strategy, noting that a deterrent strategy is seen as less credible if retaliatory threats are not appropriate to the actions being threatened. Although he is speaking about our U.S. anti-terrorism strategy, his point still holds. He argues that "policy threats lack credibility because the signaled response to terrorism holds constant across varying degrees of attack severity."68 He suggests that those who consider and plan attacks are rational actors who think through the possible costs and benefits, as well as the risks. If, however, we accept that there are different types of actors making these calculations, we might also conclude that they will not all arrive at the same answer or use the same calculus in thinking about risk.

The Threat Resides Both Outside and Within our Borders.

In addition, both those concerned with border security and those concerned with virtual security must consider not only those who wish to access the system but also those who are already in the system. For both in real space and virtual space, trespassers have the ability to reside within the system undetected for a long period of time. Accounts of the December 2014 Sony hack point to the fact that a number of attempts were made by the hackers to trespass into the system. Hackers did not simply visit the site once but also "moved in," succeeding in mapping out drives and becoming familiar with the contents of the servers before deciding how best to attack them and what to release. Paul Roberts refers to "low and slow" attacks, in which people evaded notice and were in the system for a long time; he suggests that both the attack against Saudi Aramco and Sony fit this pattern.69

In addition, in both border security and cybersecurity situations, "insiders" who are already within the system and who may possess information and intelligence, which can be shared with would-be intruders in order to increase their efficacy and chances of success, may aid those who seek to access the system. Analyses of the cyberattacks on Russia's banking sector, which took place between 2013 and 2015, point to the fact that the employees within the organizations targeted most often provide the "way in" to the targeted systems.70 Employees may unknowingly assist those attempting to access their systems through downloading malware onto their own computers as a result of opening e-mails and files, or they may consciously agree to work with hackers attempting to access a system.

Thus, it is obvious that in both situations, it is important to consider the whole process or life cycle of incursions. In describing how hackers can come to own a system, analysts often refer to the so-called "cyber-exploitation life cycle." The cycle includes eight steps:

• Initial reconnaissance (which includes both target selection and target research, or "profiling" one's target);

• Penetration;

• Gaining a foothold;

• Appropriating privileges;

• Internal reconnaissance;

• Maintaining presence;

• Exfiltration; and,

• Accomplishment of the mission.

Dimitar Kostadinov thus describes cyber-exploitation as "an evolving occurrence which . . . has an inception, development, main activity/culmination, outcome, and eventually consequences."71

In considering deterrence strategies then, we should differentiate strategies depending on the nature of the attacker and the point in the life cycle at which activities are occurring. Just as the majority of those who seek to enter the United States illegally do not ultimately wish to harm the United States, some individuals who hack into computer systems illegally may not have malicious motives in doing so. The same deterrent strategies will not work for all subgroups of "trespassers"; it is thus imperative for those designing deterrent strategies to figure out whom they wish to deter, and then to design strategies aimed at those groups in particular. Here again, a lesson may be drawn from U.S. immigration policy and law in recent years. Particularly under the Obama administration, the decision has been not to "waste resources" on people who are not "real criminals." Thus, the bulk of resources devoted toward combatting illegal immigration have been devoted to prosecuting and pursuing career criminals and those who are more likely to harm the United States through actions such as terrorism. At the same time, the United States has identified a low level of illegal immigration, which it is willing to accept without devoting resources to pursuance and prosecution.

Lesson Two: We Need Targeted Strategies Against Intruders.

• In developing a deterrence strategy for preventing cyber-intrusions, it is important for planners to decide whom we most want to deter and develop a nuanced response in terms of deterrence by design, by denial, and by punishment.

• Leaders need to commit resources to stopping attacks at all stages of the attack cycle, including taking deterrent measures against those already within the system.

3. We Have No Strong Norms Against Incursions.

Perhaps the most striking parallel with illegal immigration is the fact that in both cases, the U.S. Government has been unsuccessful in establishing a norm that would lead would-be intruders to change their preferences regarding the practice. (In contrast, Nye argues that there is a strong norm established against the use of nuclear weapons.72) Instead, as Cornelius and Salehyan note, in the period since the early 1990s, the U.S. Government has quadrupled its spending on border security, but has not experienced a quadrupling of its success in deterring illegal immigration. Instead, they point out, it simply costs more today to capture a would-be immigrant than it did in the 1990s — since the hiring of agents has roughly kept pace with the number of immigrants who now attempt to cross the borders. However, the overall percentage of those apprehended has stayed relatively constant.

As a result, in both immigration and cyber-literature, analysts argue for the necessity of defining a low level of intrusion, which is seen as inevitable and acceptable though undesirable. They also argue for the necessity of defining a "red line" or level of intrusions, which would be regarded as unacceptable and therefore would receive some form of retaliation. In both cases, there is an understanding that no method of deterrence will be 100-percent effective. Presidential Policy Directive-20 (PPD-20) also acknowledges this problem, noting that:

The United States recognizes that network defense, design, and management cannot mitigate all possible malicious cyber activity and reserves the right, consistent with applicable law, to protect itself from malicious cyber activity that threatens U.S. national interests.73

As a result, both in cyber-deterrence and border security, officials have begun to distinguish between the types of intruders who are most likely to make attempts — creating targeted deterrence strategies, depending on the character of the intruder. However, the decision to accept some low level of illegal immigration or of cyber-intrusion is problematic, because it may suggest in some way that the activities that occur below that level are in actuality regarded as legitimate or acceptable. Helfstein et al. made the same argument in describing the various types of terrorist threats that the United States may face and the different strategies that might therefore be required. Here, they argue that "by establishing a specific red line, a state runs the risk of legitimizing the more moderate but still lethal kind of terrorism to some degree."74

Lesson Three: Accept the Impossibility of Establishing a Norm Against Cyber-Intrusion.

Planners may wish to consider accepting some low level of intrusions by those who are merely annoying and not harmful.

4. We Are Fighting a Long War Against Illegal Immigration and Cyber-Incursions.

Next, the attempts by border authorities to preempt, prevent, and respond to border incursions have the character of a campaign or "long war," similar to the campaigns of the U.S. Cyber Command today. Over time, combatting illegal immigration can lead a nation to exhaust itself economically and in terms of manpower. Combatting illegal immigration also has a constant opportunity cost, because funds must be spent on border security rather than on other community needs, such as the need for education or social services.

Similarly, within the area of cyber-defense, Amir Lupovici refers to a strategy of "serial deterrence." He argues that "Cyber-attacks are very likely to turn out to be manageable primarily through applications of serial deterrence, repeated harmful responses over an extended period, to induce either temporary or eventually permanent suspensions of the most bothersome attacks or attacks by the most obnoxious opponents."75 As it relates to continual or serial deterrence against illegal immigration, the strategy rests on an acknowledgement that the "enemy" will not be completely defeated, although police organizations may seek to infiltrate and destroy criminal elements associated with people smuggling and human trafficking.

It is also important to recognize that in both the immigration and the cyber examples, targets are often not fungible. In other words, if would-be immigrants are unable to enter the United States along its southern border, it is doubtful that they would merely choose to enter another country instead. Similarly, it is unlikely that would-be entrants into American cyberspace could be redeployed to other targets elsewhere. Thus, if intruders are stopped at one entrance, they will not abandon their quest for entry but will instead choose other less well-guarded targets. They will also not make a one-time attempt at each entrance, but rather will return persistently, seeking new weaknesses and points of entry, and new means of deception (such as false papers or identifications, etc.).

In both the cases of illegal immigration and attempted cyber-incursions, it becomes clear that attempts at incursion are both ongoing and periodic. That is, the number of attacks is not constant over time; rather, attacks occur in somewhat regular waves and cycles, in response to specific events. In the case of illegal border crossings and illegal immigration, one can identify scenarios in which a short-term vulnerability is identified, such as an unguarded outpost or a new method of smuggling. In such a situation, one can expect to see a wave of attempts until the receiving country identifies the vulnerability and closes it.

Similarly, cycles of cyber-conflict may arguably be both predictable and predicted. Cyberattacks may increase in number and intensity due to other events occurring between rivals at the time, in which cyberattacks are merely part of the strategy utilized (i.e., increases in cyberattacks between Russia and Georgia combined with conventional fighting between rivals).76 They may also increase as a result of crisis instability. The understanding is that a player may wish to exploit a short-term advantage he or she has over opponents and thus may be driven to launch an attack before the window of vulnerability against those opponents is closed. A case study of the Anunak cyber-hacker group in Russia notes a similar "wave" of attacks on the Russian banking sector. A new wave of cyberweapons to be used for cyber-incursions was developed, which was then used in a heavy series of attacks throughout late 2014 until Russia's banks became aware of the problem and sought to close the security hole.77

Lesson Four: Understand the Mindset of the Attacker and the Nature of His Campaign.

• Accept that those who seek to enter cyberspace are committed to this
action. They will wage a "campaign," making multiple attempts to enter
the space.

• One set of barriers will be insufficient to counter intruders, and
no set of barriers or set of punishments will be sufficient to
establish a norm against trespassing or to change the calculus of
those contemplating action against the border significantly. In short,
the target is too valuable and too desirable for the would-be
intruders simply to abandon attempts to access it.

• Accept that the United States and American assets — both
governmental and commercial — will always be the target of
cyberattacks.

5. The (In)Effectiveness of Using Publicity to Communicate One's
Commitment to Deterrence.

It is widely acknowledged that a successful deterrence strategy often
rests on the ability of the defender to communicate a policy clearly
and explicitly to those whom it is intended to deter. To that end,
some cyber-analysts have even voiced support for a policy in which the
United States would exercise great transparency in publicizing the
capabilities of units such as the U.S. Cyber Command. As Lupovici
argues, such a policy could help communicate U.S. resolve to defend
cyberspace. Toward that end, he even suggests revealing budgets,
resources, and manpower dedicated to the subject — to increase the
credibility of the deterrent message.78

However, in their study of Operation GATEKEEPER, an initiative
launched in October 1994 under the Clinton administration to deter
illegal immigration in the San Diego area, Cornelius and Salehyan
found that high-profile efforts at raising the perceived costs of
illegal immigration do not always have the intended effect. Operation
GATEKEEPER included increases in the number of border patrol agents
deployed, the number of hours during which watch patrols were
deployed, and the number of apprehensions made. This very public
strategy was meant to increase the visibility of border agents and
cause would-be immigrants to reconsider the costs attached to their
quest and their likelihood of failure. The plan included the
construction of 70 miles of fencing along the border, along with the
addition of remote surveillance systems, infrared monitors, seismic
sensors that detect footsteps, helicopters, and unmanned aerial
vehicles. At the same time, a database was constructed to track repeat
entrants and people smugglers.

The authors note that the immigrants interviewed perceived that it was
now much more difficult to cross the borders, as well as more
dangerous. Over half were able to name someone who had died as a
result of an attempted crossing. However, the authors still brand the
deterrence attempt as a failure. Operation GATEKEEPER and the earlier
Operation HOLD THE LINE in El Paso, Texas, were meant to preempt
immigration attempts and not simply to capture more would-be
immigrants. The U.S. Government believed that would-be immigrants
could be dissuaded from attempting a crossing if they understood from
the beginning that they were likely to fail at their attempts.

However, the authors suggest that Operation GATEKEEPER did not have
the intended effects. In particular, it appears that Operation
GATEKEEPER may have been effective in deterring "amateur immigrants"
from attempting a border crossing, but that it was less effective in
deterring professionals, including those involved in organized crime
and human trafficking. As a result, they suggest, many more families
were simply driven into the arms of human traffickers, whose expertise
they now relied on in a more risky and dangerous immigration
environment. Smugglers meanwhile saw an increase in their business,
along with the ability to charge higher fees for their services.79

Similarly, Clement Guitton questions whether high-profile attempts to
"go after" hackers will be successful. He notes that while publicizing
a campaign of increased penalties and enforcement may have the effect
of reducing the number of attacks on systems by 35 percent, at least
in the short term, many companies do not want to participate in such
publicity campaigns because they fear the effects on their investors
after admitting that their companies have been the targets of
hackers.80 In addition, raising the legal penalties, including fines
and jail time, for those caught attempting to hack in might discourage
those hackers who are largely hobbyists, but such disincentives might
not have the same effect on those who are hacking on behalf of foreign
governments, including foreign militaries and intelligence operations.

Another striking parallel between the immigration and cyber-examples
is the fact that in both cases there is a fair amount of confusion and
misunderstanding regarding the legislation that currently seeks to
regulate and punish unauthorized intrusions — either because
legislation does not exist for all situations or because not all
players are clear on what the legislative rules are. In both the cyber
and immigration examples, it is unclear under whose jurisdiction the
intrusions should be prosecuted. In the case of cyber-intrusions,
disputes have centered around whether attackers who were found
responsible should be tried in the country where they themselves were
located while carrying out the violation, in the state from which the
attack emanated (which might be a third party through which traffic is
being routed), or in the country where the damage was actually
inflicted — for example, upon a computer located on Wall Street in New
York. Thus, it may be unclear what criminal penalties may apply.81

In addition, as Guitton points out, it is more difficult to deter an
attack when hackers themselves may be unclear regarding the legality
of their actions. They may not know that their trespass is illegal (or
may claim not to know). He notes that "deterrence occurs when a
potential offender refrains from or curtails criminal activity because
he or she perceives some threat of a legal punishment for contrary
behavior or fears that punishment." Therefore, the threat of
punishment raises the potential attacker's perception of the costs of
such conduct.82 However, attackers may not fear punishment if they do
not realize that these actions are illegal. Similarly, in the spring
and summer of 2014, many families sent their unaccompanied children to
the United States illegally because they misunderstood the terms of
the amnesty that President Obama had offered to U.S. children who had
been in the United States illegally for a longer period of time. They
sent their children to the United States, believing that it was legal
to do so.83 Here again, efforts at deterring such actions failed,
largely because the signaling message was neither clearly communicated
to its target nor understood.

In both cases, the United States is also constrained because of its
own commitments to uphold the U.S. Constitution and respect the rule
of law, even when intruders do not. In combatting illegal immigration,
the United States is to some degree constrained by its own laws and
policies — including rules that allow for the granting of citizenship
to illegal children born within our borders as well as the need to
provide illegal citizens with healthcare, education, and other
services and rights. Similarly, Paul Rosenzweig argues that U.S.
deterrence efforts are weakened due to the requirement that the United
States combat cyberattacks within the bounds of its own Constitution
and rules.

Lesson Five: Consider How Best to Communicate Deterrent Policies but
Recognize the Limitations on Doing So.

• Consider that some audiences will be more receptive to a deterrent
message than others. Consider who will be deterred as a result.

• Consider the costs of transparency and whether the risks of
transparency outweigh the reward of deterring potential attackers.

• Work with all partners to develop clear penalties for would-be
intruders and to resolve issues of jurisdiction.

6. The Problem of Asymmetric Payoffs: Intruders Have Little Incentive
Not to Try Again.

Like the cyber-deterrence problem, the border incursion problem rests
on a system of uneven rewards. In both situations, those who seek to
trespass or access a system are often multiple offenders who learn
something each time they make an attempt, whether or not they are
successful. An attempt thus costs little while promising a reward with
either success or failure. The penalty for would-be immigrants who are
caught is usually a bus ride to the U.S. border, from which they may
again commence attempts to access the United States. It is thus not
surprising that in both situations, individuals make multiple access
attempts. The reward system is thus asymmetric between intruders and
those who seek to defend a space.84

Thus, as Espenshade points out based on his study of undocumented
immigrants in the United States, when a would-be immigrant is
unsuccessful at traversing a border at one point, he or she will
seldom abandon those efforts. Instead, the would-be immigrant will
simply change tactics and targets.85 Thus, the would-be immigrant
might, for example, "up the ante" by hiring a professional coyote to
assist himself or herself and family with the border crossing if he or
she is unable to carry out these plans independently. Here, we can
draw a parallel with the foreign government or corporation that
outsources hacking by purchasing the services of mercenary hackers.
Espenshade notes that:

Among questionnaires administered. . . . The number of attempts was
always one greater than the number of apprehensions; That is, all
migrants simply tried until they succeeded. Apprehended or not, every
migrant who attempted to enter the US eventually got in.86

Espenshade notes as well that the would-be immigrant might also choose
a different point at which to attempt a border crossing — for example,
to flee through a rural desert area rather than along a main route.

In the language of deterrence, the choice to find a different path for
achieving a target is referred to as "designing around" a particular
state's deterrence policies.87 One can quote Thomas Schelling's
finding that "if deterrence fails it is usually because someone
thought he saw an 'option' that the American government had failed to
dispose of, that it hadn't closed."88

In both the border security and the computer security scenario, one
can thus see that deterrence strategies often fail because, as Jervis
notes,89 a state often tries to deter others from taking specific
actions rather than attempting to deter all actions aimed at a
specific objective. As a result, the state's opponent can figure out
how to "go around" barriers to realize the objective. Case studies in
criminology often reveal a failure of imagination on the part of
would-be deterrers. They simply cannot think of all the possible ways
open to the other person to change the status quo — even ways that in
retrospect seem obvious.

As Sarah Bohn and Todd Pugatch argue, states that engage in
large-scale deterrence initiatives, such as hiring an extra 1,000
police officers to engage in border patrol activities, may end up
simply transferring the problem to their neighboring states, who
become the new targets. That is, deterrence strategies may make sense
for one locality, but they do not eliminate the problem — they simply
transfer it to a new location.90 Thus, any attempt to deter incursions
at one point along America's borders may succeed in the short run, but
it will not fundamentally solve the problem of ending illegal
immigration, since it is impossible for the United States to devote
the same amount of resources to watching every point along America's
borders with the same degree of scrutiny.

Lesson Six: Understand the Mindset of Attackers, Including How They
Think About Reward and Risk.

• Know that attackers may work together in formal or informal
coalitions to share information about weaknesses and undefended
borders.

• Realize that if intruders are "deported" or kicked out of the
system, they will not merely return home, but will instead attempt
re-entry. Some will succeed in gaining entry but will not immediately
reveal themselves as intruders. Instead, they may seek to assimilate
or hide within the system, in some cases behaving as legal entrants
for a period of time. (In the case of cyber-intruders, they later
reveal zero-day exploits.)

• Consider how to establish mechanisms that would penalize would-be
intruders — and their "sponsors" — for failed attempts, thereby
raising the costs of an attempt. How much might U.S. defensive
measures cost would-be intruders — either in terms of damage to their
physical equipment or their professional reputations? Perhaps the
United States could establish a database of cybercriminals and
implement penalties such as denying student visas (or all visas) to
suspected cybercriminals. Could the judicial system treat trafficking
in code similarly to drug trafficking? Perhaps credentialing agencies,
which vouch for a computer expert's knowledge and skills, could
"disbar" suspected cybercriminals in the same way that physicians or
lawyers could lose their licenses for unethical behavior. Could an
attempt to enter a system be met with some form of physical response,
which would destroy the hacker's equipment, costing him resources and
time? There are opportunities here if we are able to think creatively!

7. We Need a Strategy and Not Merely a Set of Tactics.

The final lesson for cyber-deterrence that we can derive from an
analysis of border deterrence is that what is needed is a long-range,
nuanced strategy — which takes into account the causes of the problem,
the motives of the sponsoring country and the economic and political
factors that act in concert with the specific problem. That is, what
is needed — both in the cyber-realm and in the actual border security
realm — is not merely a set of tactics to respond to particular
incursions. As Cilluffo et al. have noted, planners need to fight the
tendency to craft a deterrent or defense strategy that is
incident-driven or ad hoc, marshalling resources only to respond to
particular incursions without considering the big picture.91

Those who study border security speak of two types of factors that
create illegal immigration: Push factors refer to events or incidents
in the sending country, which make it an undesirable place; while pull
factors refer to the factors that make the United States so attractive
a target for would-be immigrants. This paradigm acknowledges the
reality that those who seek to evade border security do not come from
nowhere and that in many instances the sending country may be
complicit in producing the stream of illegal immigrants. Thus, a
strategy for reducing the problem would hold the sending country
responsible, as well as working cooperatively with that country to
reduce the factors that produce the immigrant stream. In some
instances, when a nation is felt to be complicit in allowing illegal
immigration to a neighboring country, it may be necessary for the
receiving country to sanction or punish the sending country until it
takes responsibility for the problem.

The border security literature is also helpful in suggesting that
illegal immigration might be thought of as a symptom, rather than the
problem itself.92 In particular, the need for individuals to traverse
borders to secure gainful employment suggests a market failure, since
employees are not available in the locations where they are needed,
and jobs are not available in other regions. Again, what is needed is
a comprehensive, international, long-term strategy for addressing that
market failure or overabundance of employees in one region. A truly
comprehensive strategy for deterring illegal immigration to the United
States would necessitate a working relationship between the U.S. and
Mexican governments to provide economic opportunities for Mexican
citizens within Mexico itself, as well as pressuring the Mexican
government to provide better healthcare and education and to reduce
human rights abuses.

Similarly, a comprehensive cyber-deterrence strategy would necessitate
identifying the nations that are likely producers of the majority of
cyberattackers, and it would require that the U.S. Government sit down
with its counterparts to consider the motivations of cyberattackers as
well as the complicity of the sending state. Here, sticks and carrots
could be used to forge a more cooperative relationship with the
sending nation. That is, one could also rely on the proposed
cyber-strategy of "entanglement" to create structures in which both
the target and the producer of the cyberattack are affected by the
damages that have been created and in which both have an incentive to
cooperate so as to not produce further attacks.93

Lesson Seven: Recognize That Cyberattacks Do Not Arise in Isolation
and Cannot Be Solved in Isolation.

Work to develop deterrent strategies that take this perspective into
account.

• Recognize that cybersecurity, like immigration, needs to be
addressed as part of a broader conglomeration of issues. As
Rosenzweig has noted, cybersecurity should not be addressed only on a
military level through military-to-military actions; it needs to be
considered within a broader constellation of national and
international issues (including economic competitiveness, etc.).94

• Recognize as well the importance and flexibility provided through a
policy that allows the United States to respond to cyberattacks not
only with cyberweapons but also with other means — such as economic or
political ones. This policy is referenced in the 2011 U.S.
International Strategy for Cyberspace.95

CONCLUSIONS


As this Letort Paper has shown, it is too simplistic merely to map the
existing nuclear deterrence literature onto discussions of deterrence
in cyberspace. Cyberspace has many unique facets, as does
cyber-conflict, that do not exactly line up with the issues,
assumptions, and strategies utilized by those engaged in nuclear
conflicts. Indeed, it may be that there are other analogies — such as
the immigration analogy — that provide a better fit for thinking
through the best strategies for deterring cyber-incursions. The
immigration analogy is particularly useful for exploring how would-be
intruders learn, how they think about the costs and benefits of
launching an incursion, and how they would work together to share and
draw up informed strategies. As noted, this analogy also helps those
seeking to defend a border or target to understand the importance of
working together so that targets are effectively shut down rather than
merely shifted. Finally, this analogy is important in considering the
long-term nature of cyber-defense and the ways in which one must
address the underlying structural factors, which both create the
problem and, hopefully, contain its solution.